[Mimedefang] Re: Justifying greylisting to management

Yizhar Hurwitz yizhar at mail.com
Mon Feb 27 14:32:44 EST 2006


Hi again.

I would like to share with you more information about the 
MS Exchange -> Greylisting issue I have described before.

First, I'm not the only one...
I found another discussion about the exact same problem:
http://groups.google.com/group/microsoft.public.exchange.admin/browse_thread/thread/36cd5a8dabd3663d/09ff07ac14b116db
I assume that others had or will have similar problems (either at the sender or recipient side).
I have contacted a person in MS and asked him to check this issue - will tell you if I get some answers.

Here are the workarounds that I did to prevent this problem, 
I will share them with you because although this is not an MS Exchange group, 
I think it will be of interest for all those that plan or currently use greylisting:

* I have changed the default retry timeouts on the SMTP Virtual Server;
here are the values that I currently use (the defaults are in brackets):
First retry = 1 minute (default 10)
Second retry = 2 minutes (default 10)
Third retry = 15 minutes (default 10)
Subsequent retry = 30 minutes (default 15)

* I have configured a scheduled task that restarts the SMTP Service every day.

* I have configured specific domains to route via the ISP.

Here are some answers to your comments:

> From: Jan Pieter Cornet <johnpc at xs4all.nl>
> 
> > However - the bottom line was the important emails (important for both 
> > sender and recipient) were delayed for more than 1 week, without any 
> > notification to sender nor recipient!
> 
> That sounds like an enormous bug in the setup on the exchange side.

I agree that it is a bug, however I think that it is a bug in the software itself and not in the specific setup.

> > * I assume that this is not a single specific issue but does/will 
> > probably affect customers in other similar scenarios.
> 
> I doubt it. To be blunt - it sounds like an incompetently managed
> Exchange server. Sure, some issues like this are likely to be present in
> more than one location - dumb admins are everywhere, and not only behind

I agree that at first look it "sounds and looks" like a misconfiguration, but please believe me that it is not that simple.
My skills are not the main issue here.

> winders machines. But that's the whole point. We detect spammers in
> basically two ways - by their breaking of RFCs, and by the content
> of their message. Greylisting falls in the first category.

OK.

> Now I'm not too fond of Exchange, but I do know a little bit about
> MS Exchange, and I am positive that a properly configured exchange
> server has no trouble dealing with a greylisting mailserver.

I thought so too, until I had those problems.
I assume and hope that a hotfix will be released in a few weeks.

> Now, all exchange experts I've spoken to, agree that one of the cardinal
> mistakes you can make in setting up an exchange server is letting it talk
> directly to the internet at large - you should always put it behind a
> sendmail(or other unix MTA) box that does the actual mail receiving and
> transmitting into the whole bad world for it. (However, those deeply
> inundated with M$ will only very reluctantly admit this). It looks like
> in your situation you made at least this setup error.
Exchange is sending to and receiving from the Internet directly.
This is a very common configuration in small businesses and also in larger deployments.
I do try to convince my clients to install a mail relay (such as sendmail/MD/clamav) for incoming mail.
This is not because of Exchange limitations but simply for additional security and filtering.
I also try to configure most mail servers to relay via smart host at ISP - but this is not always applicable.

> > * My point is that you should also take into account that greylisting 
> > might cause more severe problems and not only delays of few minutes,
> > and this should be added to the "cons" count against greylisting.
> 
> I'd say that counts as one of the "cons" of incompetence :) Temporary
> failures do happen, occasionally, independent of greylisting. If your
> setup cannot handle that, then you have a problem.
I agree that I have a problem.
I wrote this email because I think that it is important and valuable information for you all.

My main point is:
If you are going to implement greylisting - go ahead, that is your choice.
But you should be aware that in addition to the planned X-minute delay of email, which is the direct result of it,
you might encounter more severe problems like the one I described.
And if by any chance this happens to you (whether you are managing the sender or recipient mail server), 
you will have more info to troubleshoot the problem with the administrator at the other side.
In the specific incidents that I had, it caused important business emails to be delayed for days with no NDR nor delay notification.
Again - I do agree that MS Exchange at my side seems to be the cause of the problem, not the greylisting recipient server.


> From: "David F. Skoll" <dfs at roaringpenguin.com>
> 
> Now, there *are* some marginal SMTP servers that fail in the following
> scenario:
> 
> C: HELO myname.domain.com
> S: 250 whatever
> C: MAIL FROM:<foo at domain.com>
> S: 250 2.1.0 go ahead
> C: RCPT TO:<recipient at domain.com>
> S: 451 4.7.1 greylisting; try in 2 minutes
> C: DATA
> S: 503 5.0.0 need RCPT!

As far as I checked using the SMTP logs at my side, this is not the case.
Exchange does understand the tempfail, but for some strange reason it fails to retry later.
This does not happen all the time, and I don't know why it retries successfully many times but fails to do so at other times.
Here is a snip from my SMTP logs (I have masked user names with xxxx and yyyy):

OutboundConnectionResponse [02/Dec/2005:00:32:04 +0200] "- -?220 mailgw1.technion.ac.il ESMTP Postfix  (NO UCE!) SMTP" 0 51
OutboundConnectionCommand [02/Dec/2005:00:32:04 +0200] "EHLO -?lahat-tr.lahat.co.il SMTP" 0 4
OutboundConnectionResponse [02/Dec/2005:00:32:04 +0200] "- -?250-mailgw1.technion.ac.il SMTP" 0 26
OutboundConnectionCommand [02/Dec/2005:00:32:04 +0200] "MAIL -?FROM:<xxxx at lahat.co.il> SIZE=326947 SMTP" 0 4
OutboundConnectionResponse [02/Dec/2005:00:32:04 +0200] "- -?250 Ok SMTP" 0 6
OutboundConnectionCommand [02/Dec/2005:00:32:04 +0200] "RCPT -?TO:<yyyy at tx.technion.ac.il> SMTP" 0 4
OutboundConnectionResponse [02/Dec/2005:00:32:41 +0200] "- -?450 <yyyy at tx.technion.ac.il>: Recipient address rejected: Greylisting in action, please try later  SMTP" 0 101
OutboundConnectionCommand [02/Dec/2005:00:32:41 +0200] "RSET - SMTP" 0 4
OutboundConnectionResponse [02/Dec/2005:00:32:41 +0200] "- -?250 Ok SMTP" 0 6

I have searched the logs and didn't find any retry attempts later for that specific address.
In other emails, I did see that Exchange retries the message as required. Strange...

For Your Information.
Bye
Yizhar
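The RCPT-stage tempfail that David Skoll's quoted scenario and the discussion above revolve around, as an added example (editor's code, not from the post, from Exchange or from MIMEDefang): a minimal triplet greylister and a server-side SMTP state machine, driven by two client behaviours. One client honours the 450, resets and retries on the post's 1/2/15/30-minute Exchange schedule; the other is the "marginal" client that sends DATA after the rejected RCPT and gets the 503. The 2-minute minimum delay, the 8-hour retry window, the 450 reply (Postfix-style, where the quoted scenario uses 451), the host names and the addresses are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

MIN_DELAY = timedelta(minutes=2)   # assumed: a new triplet must wait this long before it passes
WINDOW = timedelta(hours=8)        # assumed: a triplet is forgotten if not retried within this

TEMPFAIL = (450, "4.7.1 Greylisting in action, please try later")


def _addr(arg):
    """Pull the address out of 'FROM:<a@b>' / 'TO:<a@b>'."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1).lower() if m else arg.strip().lower()


class Greylister:
    """Triplet-based policy keyed on (client IP, envelope sender, recipient)."""

    def __init__(self, min_delay=MIN_DELAY, window=WINDOW):
        self.min_delay, self.window = min_delay, window
        self.first_seen = {}   # triplet -> time of first attempt
        self.passed = set()    # triplets that retried late enough and now pass

    def rcpt(self, ip, sender, rcpt, now):
        key = (ip, sender, rcpt)
        if key in self.passed:
            return 250, "2.1.5 Ok"
        first = self.first_seen.get(key)
        if first is None or now - first > self.window:
            self.first_seen[key] = now        # new (or expired) triplet: start the clock
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                   # retried too early: keep waiting
        self.passed.add(key)
        return 250, "2.1.5 Ok"


class SmtpSession:
    """Just enough server-side state to enforce the MAIL -> RCPT -> DATA ordering."""

    def __init__(self, greylister, client_ip):
        self.gl, self.ip = greylister, client_ip
        self.sender, self.rcpts = None, []

    def handle(self, cmd, now):
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return 250, "mx.example.net"
        if verb == "MAIL":
            self.sender, self.rcpts = _addr(arg), []
            return 250, "2.1.0 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return 503, "5.5.1 need MAIL first"
            code, text = self.gl.rcpt(self.ip, self.sender, _addr(arg), now)
            if code == 250:
                self.rcpts.append(_addr(arg))
            return code, text
        if verb == "DATA":
            if not self.rcpts:                # no accepted recipient: the 503 of the quoted scenario
                return 503, "5.5.1 need RCPT!"
            return 354, "End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.sender, self.rcpts = None, []
            return 250, "2.0.0 Ok"
        if verb == "QUIT":
            return 221, "2.0.0 Bye"
        return 500, "5.5.2 Command not recognized"


def attempt(gl, ip, sender, rcpt, now, send_data_anyway=False):
    """One delivery attempt. Returns ([(command, reply_code), ...], accepted)."""
    s, log = SmtpSession(gl, ip), []
    for cmd in ("EHLO client.example.com", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>"):
        log.append((cmd, s.handle(cmd, now)[0]))
    if log[-1][1] == 250 or send_data_anyway:
        log.append(("DATA", s.handle("DATA", now)[0]))
    else:
        log.append(("RSET", s.handle("RSET", now)[0]))   # correct client: back off, queue, retry later
    return log, log[-1] == ("DATA", 354)


def minutes_to_accept(retry_minutes, min_delay_minutes=2):
    """Correct MTA behaviour: retry after each tempfail on the given schedule
    (the post's Exchange settings are [1, 2, 15, 30]). Returns minutes until the
    message is accepted, or None if the schedule runs out (an empty schedule
    models the post's failure mode: the tempfail is understood but never retried)."""
    gl = Greylister(min_delay=timedelta(minutes=min_delay_minutes))
    start = now = datetime(2005, 12, 2, 0, 32)
    for gap in [0] + list(retry_minutes):
        now += timedelta(minutes=gap)
        _, ok = attempt(gl, "192.0.2.10", "alice@example.com", "bob@example.net", now)
        if ok:
            return int((now - start).total_seconds() // 60)
    return None


def marginal_client_codes():
    """The quoted failure: a client that sends DATA despite the 4xx at RCPT."""
    log, _ = attempt(Greylister(), "192.0.2.10", "alice@example.com", "bob@example.net",
                     datetime(2005, 12, 2, 0, 32), send_data_anyway=True)
    return [code for _, code in log]
```

With the 1/2/15/30 schedule the message is accepted on the third attempt, 3 minutes after the first try; with an empty schedule the tempfail is acknowledged and the mail simply sits, which is the behaviour the post reports. The marginal client sees 250, 250, 450, 503 in that order.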
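Searching the Exchange SMTP log for tempfailed recipients that were never offered again, as an added example (editor's code, not from the post): a parser for the NCSA-style log lines quoted above that pairs each RCPT TO with the reply that follows it and reports envelopes whose latest reply was a 4xx with no later attempt inside the retry gap. The sample log is constructed with example.com/example.net addresses (not the post's log); treating the `-?` in each request as the IIS NCSA join of the empty URI-stem field and the query field that carries the SMTP argument is an assumption about the log format, as is the 60-minute gap (chosen to exceed the post's 30-minute subsequent-retry setting).

```python
import re
from datetime import datetime, timedelta, timezone

# One line of the Exchange/IIS SMTP log in the NCSA-style layout quoted in the post:
#   <event> [<timestamp>] "<verb> <stem>?<query> SMTP" <status> <bytes>
LINE_RE = re.compile(
    r'^(?P<event>OutboundConnection(?:Command|Response))\s+'
    r'\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<req>.*?)\s+SMTP"\s+\d+\s+\d+\s*$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ADDR_RE = re.compile(r'<([^>]+)>')

# Constructed sample (not the post's log): alice -> bob is greylisted and never retried,
# alice -> carol is greylisted and successfully retried 20 minutes later.
SAMPLE_LOG = """\
OutboundConnectionResponse [02/Dec/2005:00:32:04 +0200] "- -?220 mx.example.net ESMTP Postfix SMTP" 0 51
OutboundConnectionCommand [02/Dec/2005:00:32:04 +0200] "EHLO -?exch.example.com SMTP" 0 4
OutboundConnectionResponse [02/Dec/2005:00:32:04 +0200] "- -?250-mx.example.net SMTP" 0 26
OutboundConnectionCommand [02/Dec/2005:00:32:04 +0200] "MAIL -?FROM:<alice@example.com> SIZE=326947 SMTP" 0 4
OutboundConnectionResponse [02/Dec/2005:00:32:04 +0200] "- -?250 Ok SMTP" 0 6
OutboundConnectionCommand [02/Dec/2005:00:32:04 +0200] "RCPT -?TO:<bob@example.net> SMTP" 0 4
OutboundConnectionResponse [02/Dec/2005:00:32:41 +0200] "- -?450 <bob@example.net>: Recipient address rejected: Greylisting in action, please try later  SMTP" 0 101
OutboundConnectionCommand [02/Dec/2005:00:32:41 +0200] "RSET - SMTP" 0 4
OutboundConnectionResponse [02/Dec/2005:00:32:41 +0200] "- -?250 Ok SMTP" 0 6
OutboundConnectionCommand [02/Dec/2005:00:35:10 +0200] "MAIL -?FROM:<alice@example.com> SIZE=1200 SMTP" 0 4
OutboundConnectionResponse [02/Dec/2005:00:35:10 +0200] "- -?250 Ok SMTP" 0 6
OutboundConnectionCommand [02/Dec/2005:00:35:10 +0200] "RCPT -?TO:<carol@example.net> SMTP" 0 4
OutboundConnectionResponse [02/Dec/2005:00:35:11 +0200] "- -?450 <carol@example.net>: Recipient address rejected: Greylisting in action, please try later  SMTP" 0 101
OutboundConnectionCommand [02/Dec/2005:00:35:11 +0200] "RSET - SMTP" 0 4
OutboundConnectionCommand [02/Dec/2005:00:55:30 +0200] "MAIL -?FROM:<alice@example.com> SIZE=1200 SMTP" 0 4
OutboundConnectionResponse [02/Dec/2005:00:55:30 +0200] "- -?250 Ok SMTP" 0 6
OutboundConnectionCommand [02/Dec/2005:00:55:30 +0200] "RCPT -?TO:<carol@example.net> SMTP" 0 4
OutboundConnectionResponse [02/Dec/2005:00:55:31 +0200] "- -?250 Ok SMTP" 0 6
"""

# Assumed "now" for the analysis: the end of the log window being examined.
AS_OF = datetime(2005, 12, 2, 2, 0, 0, tzinfo=timezone(timedelta(hours=2)))


def parse_line(line):
    """Return ("cmd", ts, VERB, argument) or ("resp", ts, code, text), or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    req = m.group("req")
    # Assumption: "-?" joins the empty URI stem and the query field; the SMTP
    # argument (or the reply text) is the query part after the "?".
    if m.group("event") == "OutboundConnectionCommand":
        verb, _, rest = req.partition(" ")
        arg = rest.split("?", 1)[1] if "?" in rest else rest
        return ("cmd", ts, verb.upper(), arg)
    text = req.split("?", 1)[1] if "?" in req else req
    code = int(text[:3]) if text[:3].isdigit() else None
    return ("resp", ts, code, text)


def rcpt_attempts(log_text):
    """Pair each RCPT TO with the reply that follows it.
    Returns {(sender, recipient): [(timestamp, reply_code), ...]} in log order."""
    attempts, sender, last_cmd = {}, None, None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec[0] == "cmd":
            _, ts, verb, arg = rec
            if verb == "MAIL":
                m = ADDR_RE.search(arg)
                sender = m.group(1) if m else None
            last_cmd = (ts, verb, arg)
            continue
        _, ts, code, _ = rec
        if last_cmd and last_cmd[1] == "RCPT" and code is not None:
            m = ADDR_RE.search(last_cmd[2])
            if m:
                attempts.setdefault((sender, m.group(1)), []).append((last_cmd[0], code))
        last_cmd = None   # a reply closes the pending command (banner/EHLO replies are skipped)
    return attempts


def stuck_envelopes(log_text, as_of=AS_OF, max_gap=timedelta(minutes=60)):
    """Envelopes whose latest RCPT reply was a 4xx tempfail and which have not been
    offered again within max_gap. Returns {(sender, recipient): {"attempts": n,
    "last_tempfail": ts}}; these are the messages the sending MTA should have retried."""
    stuck = {}
    for key, tries in rcpt_attempts(log_text).items():
        ts, code = tries[-1]
        if 400 <= code < 500 and as_of - ts > max_gap:
            stuck[key] = {"attempts": len(tries), "last_tempfail": ts}
    return stuck


if __name__ == "__main__":
    for (sender, rcpt), info in stuck_envelopes(SAMPLE_LOG).items():
        print(f"{sender} -> {rcpt}: tempfailed at {info['last_tempfail']:%H:%M:%S}, "
              f"{info['attempts']} attempt(s), no retry since")
```

Run against a real log, the output is the list to hand to the administrator at the other side: which envelopes were tempfailed, when, and that the sender never came back for them. On the sample it reports only alice -> bob; carol's second attempt 20 minutes later was accepted, which is the normal greylisting delay.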
